Analysis
max time kernel: 153s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe
  Resource: win10v2004-en-20220113
General
Target: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe
Size: 35KB
MD5: 8cafb41223f26193c89396684af43a25
SHA1: 7a85c7825db906e71b95e711a6502b186d8bc4b1
SHA256: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761
SHA512: e65d6e31407b70bde61cf96aa0e6c11a4c49937bcb3c7517742fac5509a92ba4c4104280c9fdbc925d52df765348f90a05b0c9df6d4ae7e3b9a49fd1195712b6
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 964
Deletes itself (1 IoC)
  Process: cmd.exe, PID 620
Loads dropped DLL (2 IoCs)
  Process: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe, PID 1520 (both IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe, PID 1520
  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe, cmd.exe
  PID 1520 (02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe) wrote to memory of PID 964 (MediaCenter.exe): 4 IoCs
  PID 1520 (02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe) wrote to memory of PID 620 (cmd.exe): 4 IoCs
  PID 620 (cmd.exe) wrote to memory of PID 1148 (PING.EXE): 4 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe"
   PID: 1520
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 964
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02cfcdc462714b186e05ae43f430a9adbac37273445ee2c561a04c0e3bed7761.exe"
      PID: 620
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1148
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: 183cbd0e60561da5e478f0327b085663
  SHA1: 2557120708862d868a251f2e6477efb4b61e600c
  SHA256: d1cf98133346a019c44d1a8ae21490d542871b51a427979b806046cb291012bc
  SHA512: 00eb9441cb7a4e161cec23e319dd2e658d140ea23bb5a0beb409ff05f25cbb94e50fe1dae12421adc37effa308618d561eb0c2927aacf40b7c2ea82f09a2170b
memory/1520-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB